
Tighten sandbox by constraining capabilities

Christian Kellner requested to merge sandbox into master

We only need the CAP_NET_ADMIN capability for the udev netlink socket manipulations. All other capabilities can be dropped, reducing the damage that can be done. Thanks to Richard Maciel Costa rcosta@redhat.com for his help on this.

Edited by Christian Kellner
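The capability restriction the merge request describes, as an added C example that is not the project's own code: every capability except CAP_NET_ADMIN is removed from the process's bounding set with prctl(PR_CAPBSET_DROP) and from its permitted/effective/inheritable sets with capset(2). The example uses the raw prctl and capget/capset syscalls rather than libcap, and the helper names (cap_keep_mask, cap_last, restrict_caps, cap_in_bounding_set) are this example's own, not the project's. Dropping bounding-set entries requires CAP_SETPCAP, so restrict_caps() reports -EPERM when run unprivileged; the mask and probe helpers work regardless.

```c
#include <errno.h>
#include <linux/capability.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

/* The only capability the daemon needs (per the merge request). */
static const int KEEP_CAPS[] = { CAP_NET_ADMIN };

/* Build a bitmask of the capabilities to keep; out-of-range entries are ignored. */
static uint64_t cap_keep_mask(const int *keep, size_t n)
{
    uint64_t mask = 0;
    for (size_t i = 0; i < n; i++)
        if (keep[i] >= 0 && keep[i] < 64)
            mask |= (uint64_t)1 << keep[i];
    return mask;
}

/* Highest capability number the running kernel knows, probed via PR_CAPBSET_READ
   (more reliable than the compile-time CAP_LAST_CAP when headers and kernel differ). */
static int cap_last(void)
{
    int cap = 0;
    while (prctl(PR_CAPBSET_READ, cap + 1, 0, 0, 0) >= 0)
        cap++;
    return cap;
}

/* Report whether a capability is still in the bounding set: 1 = present, 0 = dropped,
   negative = -errno (e.g. -EINVAL for a capability the kernel does not know). */
static int cap_in_bounding_set(int cap)
{
    int r = prctl(PR_CAPBSET_READ, cap, 0, 0, 0);
    return r < 0 ? -errno : r;
}

/* Drop every capability not in `keep` from the bounding set, then shrink the
   permitted/effective/inheritable sets to (current permitted AND keep).
   Returns 0 on success or -errno. Needs CAP_SETPCAP for the bounding-set part. */
static int restrict_caps(uint64_t keep)
{
    int last = cap_last();
    for (int cap = 0; cap <= last; cap++) {
        if (keep & ((uint64_t)1 << cap))
            continue;
        if (prctl(PR_CAPBSET_DROP, cap, 0, 0, 0) < 0 && errno != EINVAL)
            return -errno;
    }

    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];
    memset(data, 0, sizeof(data));
    if (syscall(SYS_capget, &hdr, data) < 0)
        return -errno;

    /* Never raise anything: intersect what we already hold with the keep mask. */
    uint64_t permitted = ((uint64_t)data[1].permitted << 32) | data[0].permitted;
    uint64_t newset = permitted & keep;
    data[0].permitted = data[0].effective = data[0].inheritable = (uint32_t)(newset & 0xffffffffu);
    data[1].permitted = data[1].effective = data[1].inheritable = (uint32_t)(newset >> 32);
    if (syscall(SYS_capset, &hdr, data) < 0)
        return -errno;
    return 0;
}

int main(void)
{
    uint64_t keep = cap_keep_mask(KEEP_CAPS, sizeof(KEEP_CAPS) / sizeof(KEEP_CAPS[0]));
    int r = restrict_caps(keep);
    if (r < 0)
        fprintf(stderr, "restrict_caps failed: %s\n", strerror(-r));
    /* Verify the result: CAP_SYS_ADMIN must be gone from the bounding set. */
    printf("CAP_NET_ADMIN in bounding set: %d\n", cap_in_bounding_set(CAP_NET_ADMIN));
    printf("CAP_SYS_ADMIN in bounding set: %d\n", cap_in_bounding_set(CAP_SYS_ADMIN));
    return r < 0 ? 1 : 0;
}
```

Run it as root (or with CAP_SETPCAP) to see CAP_SYS_ADMIN drop out of the bounding set while CAP_NET_ADMIN stays; the same bounding-set check can be done from outside the process by reading CapBnd in /proc/PID/status.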
